Leveling Up Fuzzing: Finding more vulnerabilities with AI
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team
Recently, OSS-Fuzz reported 26 new vulnerabilities...
Hasnain says:
Today’s technical read: how past colleagues over at Google have been using LLMs to automate vulnerability discovery. Some interesting takeaways for me were:
* providing specific context really matters
* LLMs can automate the full life cycle of what a human does; it just needs to be broken down into manageable chunks (and agents are promising). I’m hoping to cover a bit of this in a personal blog soon.
* this is worth reading even if you don’t know anything about fuzzing, as it applies to general test generation too
* LLMs make some things so much easier, when I contrast this post with work we did on [ thing I wish I could talk about but can’t due to NDA, past coworkers know what I’m talking about - could you please blog about it? :) ]
“This blog post discusses the results and lessons over a year and a half of work to bring AI-powered fuzzing to this point, both in introducing AI into fuzz target generation and expanding this to simulate a developer’s workflow. These efforts continue our explorations of how AI can transform vulnerability discovery and strengthen the arsenal of defenders everywhere.”
Posted on 2024-12-09T07:00:09+0000